对于版本 1.21.5,这是我的解决方案:
步骤1:
ssh 到主节点,然后在步骤 2 中检查证书。
步骤2:
运行这个命令:kubeadm certs check-expiration
root@kube-master-1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 21, 2022 16:05 UTC <invalid> no
apiserver Oct 21, 2022 16:05 UTC <invalid> ca no
!MISSING! apiserver-etcd-client
apiserver-kubelet-client Oct 21, 2022 16:05 UTC <invalid> ca no
controller-manager.conf Oct 21, 2022 16:05 UTC <invalid> no
!MISSING! etcd-healthcheck-client
!MISSING! etcd-peer
!MISSING! etcd-server
front-proxy-client Oct 21, 2022 16:05 UTC <invalid> front-proxy-ca no
scheduler.conf Oct 21, 2022 16:05 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Oct 19, 2031 16:05 UTC 8y no
!MISSING! etcd-ca
front-proxy-ca Oct 19, 2031 16:05 UTC 8y no
并看到昨天所有的都过期了。
步骤3:
所有现有证书的备份:
root@kube-master-1:~# cp -R /etc/kubernetes/ssl /etc/kubernetes/ssl.backup
root@kube-master-1:~# cp /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.backup
root@kube-master-1:~# cp /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.backup
步骤4:
要全部更新,请运行以下命令: kubeadm certs renew all
root@kube-master-1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1023 15:15:16.234334 2175921 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
步骤 5:步骤 4 的最后一行告诉我们重要的注意事项:
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates
完成本次运行:
kubectl -n kube-system delete pod -l 'component=kube-apiserver'
kubectl -n kube-system delete pod -l 'component=kube-controller-manager'
kubectl -n kube-system delete pod -l 'component=kube-scheduler'
kubectl -n kube-system delete pod -l 'component=etcd'
步骤6:然后重新启动主节点。
systemctl restart kubelet
systemctl restart docker
步骤7:查看结果:
root@kube-master-1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1023 15:15:23.141925 2177263 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 23, 2023 07:15 UTC 364d no
apiserver Oct 23, 2023 07:15 UTC 364d ca no
apiserver-kubelet-client Oct 23, 2023 07:15 UTC 364d ca no
controller-manager.conf Oct 23, 2023 07:15 UTC 364d no
front-proxy-client Oct 23, 2023 07:15 UTC 364d front-proxy-ca no
scheduler.conf Oct 23, 2023 07:15 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Oct 19, 2031 16:05 UTC 8y no
front-proxy-ca Oct 19, 2031 16:05 UTC 8y no
全部续订至 2023 年文章来源:https://www.toymoban.com/news/detail-675798.html
步骤8:将生成的证书拷贝到当前用户下
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
参考
https://stackoverflow.com/questions/49885636/kubernetes-expired-certificate文章来源地址https://www.toymoban.com/news/detail-675798.html
到了这里,关于k8s集群证书过期后,如何更新k8s证书的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
